#1  24th June 2011, 03:19
flubdgub (Junior Member, joined Jun 2011, 1 post)

OpenLDAP ACL Help

I have OpenLDAP openldap-2.3.43 running on CentOS5.6, configured with TLS.

Everything is working fine, server is running, clients authenticate -- UNIX accounts via ou=People, Web accounts via ou=WebPeople.

I can add and manage users using the 'rootdn' account...

BUT I'd like to have some "Managers" for subgroups, and I can't figure out how to make ACLs to do this.

All Apache 'web accounts' are made in this ou:
ou=WebPeople,dc=example,dc=com

All Apache 'web master' accounts are made in this ou:
ou=WebManagers,dc=example,dc=com


What I did:

-- Made a WebManagers ou, and added webmaster user to it:

dn: uid=webmaster,ou=WebManagers,dc=example,dc=com
objectClass: inetOrgPerson
cn: Web Master
sn: WebMaster
uid: webmaster
userPassword: <SNIP>
ou: WebManager

-- Added this ACL to /etc/openldap/slapd.conf:

##
## ACL1
##

access to dn.one="ou=WebPeople,dc=example,dc=com"
        attrs=children
        by group.exact="ou=WebManagers,dc=example,dc=com" write
        by users read


-----

When I do this, UNIX authentication (ou=People) no longer works. I have to disable the ACLs to get it back.

Basically I need help writing the ACLs properly... Here's my slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath /usr/lib64/openldap

# Modules available in openldap-servers-overlays RPM package
# Module syncprov.la is now statically linked with slapd and there
# is no need to load it here
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.

TLSCertificateFile /certs/ldapscert.pem
TLSCertificateKeyFile /certs/keys/ldapskey.pem
TLSCipherSuite TLSv1+RSA:!NULL
TLSVerifyClient never

#disallow bind_anon
#require bind
#security simple_bind=128


#######################################################################
# ACLs
#######################################################################
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
## access to dn.base="" by * read
## access to dn.base="cn=Subschema" by * read


##
## ACL1
##

##If I uncomment this, UNIX authentication to ou=People breaks

#access to dn.one="ou=WebPeople,dc=surfads,dc=com"
# attrs=children
# by group.exact="ou=WebManagers,dc=surfads,dc=com" write
# by users read


# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=example,dc=com"
rootdn "cn=ldapadmin,dc=example,dc=com"
rootpw {SSHA}<SNIP>

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM


----------------------

Thank-you!
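The behaviour described in the post follows from how slapd evaluates access directives, and it is easier to see with a small model than by trial and error against a live server. The script below is an added example, not code from the thread or from the OpenLDAP project: it implements a toy evaluator for the subset of slapd.access(5) that matters here (first matching `access to` wins, first matching `by` sets the level, and the list ends with an implicit `access to * by * none`), then runs the same operations against three configurations: the `access to * by * read` policy slapd applies when no directive exists, the single directive from the post, and a constructed alternative that scopes the delegated write to `ou=WebPeople` through a real `groupOfNames` and ends with a catch-all. The user DNs `uid=alice` and `uid=bob`, the group `cn=webmanagers,ou=Groups,dc=example,dc=com` and its membership are assumptions made for the example. Two things the model makes visible: `group.exact=` is looked up as a group entry's `member` values, so an `ou=` DN never matches anyone, and an add needs write on the parent's `children` pseudo-attribute, which a `dn.one=` rule never covers. It also shows that the no-ACL default lets any anonymous client read `userPassword` hashes, which the scoped variant closes.

```python
"""Toy model of slapd.conf ACL evaluation (added example, not code from the thread).
slapd.access(5) rules modelled: directives are tried in order and the first whose
<what> matches is the only one used; inside it the first matching <by> sets the
level (no match = none); the list ends with an implicit "access to * by * none".
Covered: "*", dn.base=, dn.one=, attrs=, and the who-forms *, anonymous, users,
self and group.exact= (group membership comes from a constructed dict)."""
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""

def parse_acl(text):
    """Return [(style, pattern, attrs, [(who, level), ...])]; indented lines continue."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and directives:
            directives[-1] += " " + raw.strip()
        else:
            directives.append(raw.strip())
    rules = []
    for tok in map(shlex.split, directives):
        if tok[:2] != ["access", "to"]:
            continue                      # other slapd.conf directives are ignored
        style, pattern, attrs, i = "*", "", None, 2
        while i < len(tok) and tok[i] != "by":
            if tok[i].startswith("dn."):
                style, pattern = tok[i][3:].split("=", 1)
            elif tok[i].startswith("attrs="):
                attrs = {a.lower() for a in tok[i][6:].split(",")}
            i += 1
        rules.append((style, pattern, attrs,
                      [(tok[j + 1], tok[j + 2]) for j in range(i, len(tok), 3)]))
    return rules

def what_matches(style, pattern, target):
    t, p = norm(target), norm(pattern)
    return {"*": True, "base": t == p, "one": t.split(",", 1)[1:] == [p]}[style]

def who_matches(who, requester, target, groups):
    """requester is the bind DN, or None on an anonymous connection."""
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (requester is None) == (who == "anonymous")
    if who == "self":
        return requester is not None and norm(requester) == norm(target)
    if who.startswith("group.exact="):
        # slapd reads the member values of the entry named here (groupOfNames by default);
        # an organizationalUnit has no member attribute, so an ou= DN never matches anyone.
        members = groups.get(norm(who.split("=", 1)[1]), set())
        return requester is not None and norm(requester) in members
    raise ValueError("who-form not modelled: " + who)

def access_level(rules, requester, target, attr=None, groups=None):
    """Level on the entry (attr=None) or one attribute; 'children' is the parent's pseudo-attribute an add needs."""
    for style, pattern, attrs, by in rules:
        if not what_matches(style, pattern, target):
            continue
        if attrs is not None and (attr is None or attr.lower() not in attrs):
            continue                      # attrs= rules cover only those attributes
        for who, level in by:
            if who_matches(who, requester, target, groups or {}):
                return level
        return "none"                     # <what> matched but no <by> matched
    return "none"                         # implicit trailing "access to * by * none"

def allows(rules, requester, target, needed, attr=None, groups=None):
    got = access_level(rules, requester, target, attr, groups)
    return LEVELS.index(got) >= LEVELS.index(needed)

# Constructed principals and a real groupOfNames for the managers (not from the thread).
GROUPS = {"cn=webmanagers,ou=groups,dc=example,dc=com":
          {"uid=webmaster,ou=webmanagers,dc=example,dc=com"}}
WEBMASTER = "uid=webmaster,ou=WebManagers,dc=example,dc=com"
UNIX_USER = "uid=alice,ou=People,dc=example,dc=com"
WEB_OU = "ou=WebPeople,dc=example,dc=com"

DEFAULT_ACL = "access to * by * read"   # what slapd applies when no access directive exists
POSTER_ACL = """
access to dn.one="ou=WebPeople,dc=example,dc=com"
        attrs=children
        by group.exact="ou=WebManagers,dc=example,dc=com" write
        by users read
"""
# Constructed alternative: hashes first (most specific), delegated write scoped to
# ou=WebPeople through a real group, then a catch-all so nothing else falls to the deny.
SCOPED_ACL = """
access to attrs=userPassword by self write by anonymous auth by * none
access to dn.base="ou=WebPeople,dc=example,dc=com" attrs=children
        by group.exact="cn=webmanagers,ou=Groups,dc=example,dc=com" write by * read
access to dn.one="ou=WebPeople,dc=example,dc=com"
        by group.exact="cn=webmanagers,ou=Groups,dc=example,dc=com" write by * read
access to * by * read
"""

def scenario():
    """Outcome of each operation under (DEFAULT_ACL, POSTER_ACL, SCOPED_ACL)."""
    checks = {
        "nss_lookup": lambda r: allows(r, None, UNIX_USER, "read"),                 # anonymous reads ou=People
        "unix_bind": lambda r: allows(r, None, UNIX_USER, "auth", "userPassword"),  # simple bind of a UNIX user
        "add_webuser": lambda r: allows(r, WEBMASTER, WEB_OU, "write", "children", GROUPS),
        "hash_disclosure": lambda r: allows(r, None, UNIX_USER, "read", "userPassword"),
    }
    confs = [parse_acl(c) for c in (DEFAULT_ACL, POSTER_ACL, SCOPED_ACL)]
    return {name: tuple(f(r) for r in confs) for name, f in checks.items()}
```

Running `scenario()` gives, in the order default / post / scoped: `nss_lookup` True, False, True; `unix_bind` True, False, True; `add_webuser` False, False, True; `hash_disclosure` True, False, False. The middle column is the symptom from the post (every entry outside the one directive falls to the implicit deny, so `ou=People` lookups and binds stop), and the first column is the price of running with no ACLs at all. The model leaves out regex, `dn.subtree`, `set`, `ssf` and the `stop`/`break` controls, so check a real policy with `slapacl` before relying on it.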